[R77.30] Adding LDAP group to the existing rule using dbedit

Question asked by Jozko Mrkvicka on Dec 15, 2018

Hello mates,


First of all, I know that this is an easy task in R80, but we are running R77.30 and we cannot upgrade.


I would like to know if there is any possibility to add an LDAP group to an already created rule in R77.30.

AFAIK, the only R77.30 tool which is capable of this is dbedit (correct me if I am wrong).

I have the following rule:

My goal is to add a new LDAP group (which is already created) to the rule, so the rule will look like this:


According to the R77 CLI Reference Guide, this is possible with the following dbedit command:

addelement fw_policies ##<policy_package> rule:<number>:src:'' <table>:<name_of_object>

I was able to add, for example, a network object to rule number 4 (dbedit indexes rules from 0, and also counts the sections as "rules"), but not an LDAP group, which is part of the "users" table.


This is what is seen from the dbedit command "print fw_policies" for this particular source (SECOND_LDAP@Any), which was added manually:










How am I supposed to add a new LDAP group to the source of an existing rule via the "addelement" command?

I have tried the following commands; all failed with an error after "update_all":

addelement fw_policies ##Standard rule:5:src:'' users:TEST_LDAP

addelement fw_policies ##Standard rule:5:src:'' users:TEST_LDAP@Any

addelement fw_policies ##Standard rule:5:src:'' usrgroup:TEST_LDAP

addelement fw_policies ##Standard rule:5:src:'' usrgroup:TEST_LDAP@Any

addelement fw_policies ##Standard rule:5:src:'' external_group:TEST_LDAP

addelement fw_policies ##Standard rule:5:src:'' external_group:TEST_LDAP@Any

I am getting the following error:

fw_policies::##Standard Validation error in field 'rule' of rule #4 at object '##Standard' @ 'Security Policies' --> Validation error in field 'Source' --> Validation error in field '' of element #1 --> comparing external_group in {workstation,network,domain,OSE_device,embedded_device,network_object_group,address_range,dynamic_object,group_with_exception,logical_server,gateway_cluster,gsn_handover_group,any_object,voip_SIP_domain,voip_GK_domain,voip_GW_domain,voip_Skinny_domain,voip_MGCP_domain,site_object,cluster_member,multiple_address_range,security_zone,identity_role}
Object contain invalid reference for fw_policies::##Standard

Maybe you are asking why I want this. The answer is that I need to add a specific LDAP group to around 4000 rules, therefore automation is a really good approach.


I would be more than happy if someone can assist me with this task.


Thanks for every comment.